The exploit doesn't simply rely on the 16-bit DNS XID.
Rather, it's reliant on the fact that BIND servers
(and some others) send requests from a static port.
Obviously, if you control a DNS server or you can
sniff the target DNS server's path, you can figure
this out.

The second part of the trick is wildcarding in DNS.
I can make a large number of invalid queries to your
DNS server if it allows recursion. Each query will
be something like aaa.paypal.com, bbb.paypal.com, etc.
Obviously, because I know your source port (or can
figure it out) it's only a matter of time before I
can spoof a response. So, you'll end up with a wacky
A entry for somerand.paypal.com. The neat trick here
is that I can also attach an NS record in the spoofed
response and set the TTL very high for this entry.
Now your DNS server will query my malicious DNS server
for everything under paypal.com.

So, yes, plan9 is vulnerable.

D
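The post's point is that a fixed source port collapses what an off-path forger has to guess to the 16-bit XID alone. The following audit script is an added example, not from the original post or from any resolver project: it reads constructed log lines of a resolver's outbound queries (the `src_port=`/`xid=` line format and the 1024-65535 randomisation range are assumptions), flags a pinned source port, and reports how much larger the forger's search space becomes when the port is randomised.

```python
import math
import re
from collections import Counter

# Constructed sample log lines (not from any real resolver) recording the
# source port and transaction ID of each outbound query a resolver sent.
STATIC_PORT_LOG = """\
query src_port=53 xid=6699
query src_port=53 xid=31805
query src_port=53 xid=4065
query src_port=53 xid=39543
query src_port=53 xid=13107
query src_port=53 xid=20046
"""
RANDOM_PORT_LOG = """\
query src_port=51472 xid=6699
query src_port=60031 xid=31805
query src_port=33199 xid=4065
query src_port=49950 xid=39543
query src_port=58120 xid=13107
query src_port=41077 xid=20046
"""

LINE_RE = re.compile(r"src_port=(\d+)\s+xid=(\d+)")
EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumed randomisation range 1024..65535

def parse_log(text):
    """Return a list of (source_port, xid) pairs from the constructed log lines."""
    return [(int(p), int(x)) for p, x in LINE_RE.findall(text)]

def shannon_bits(values):
    """Empirical entropy, in bits, of the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def audit_resolver(log_text):
    """Flag a resolver that pins its source port and size the forger's search space."""
    pairs = parse_log(log_text)
    ports = [p for p, _ in pairs]
    xids = [x for _, x in pairs]
    static_port = len(set(ports)) == 1
    # With a fixed port an off-path forger only needs to hit the 16-bit XID;
    # with a randomised port it must also hit the port.
    search_space = 2 ** 16 * (1 if static_port else EPHEMERAL_PORTS)
    return {
        "static_port": static_port,
        "port_bits": shannon_bits(ports),
        "xid_bits": shannon_bits(xids),
        "search_space": search_space,
    }
```

Run it against a capture of your own resolver's egress traffic: a port entropy near zero is the condition the post describes, and enabling source port randomisation (or moving to a resolver that does it) is the fix it implies.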